pdf (90.18 KB)

Submission by the Office of the Privacy Commissioner to the Senate Legal and Constitutional Legislation Committee

November 2005

Office of the Privacy Commissioner

1. The Office of the Privacy Commissioner (the Office) is an independent statutory body responsible for promoting an Australian culture that respects privacy. The Privacy Act 1988 (the Privacy Act) covers Australian and ACT Government agencies, businesses with an annual turnover of more than $3 million, the private health sector, small businesses that trade in personal information and credit providers and credit reporting agencies. The Privacy Commissioner has responsibilities under the Privacy Act and other federal legislation to regulate the way agencies and organisations collect, use, store and disclose individual's personal information.

Background and overview

2. In April 2002 and August 2004, the Office made submissions to the Senate Legal and Constitutional Committee Inquiries into, respectively, the Security Legislation Amendment (Terrorism) Bill 2002 (and related Bills)[1] and the Anti-Terrorism Bill (No.2) 2004.[2]

3. The Office remains of the view, expressed in those submissions, that there should be an appropriate balance between the need for security and the right to privacy.

4. The right to privacy is not an absolute. It is often necessary to balance privacy with other important social interests, such as the safety and security of the community. This does not diminish the role played by privacy in democratic societies in according individuals the freedom to pursue their daily lives with appropriate respect, dignity and anonymity. Rather, the challenge is to how to achieve an appropriate balance.

5. The Office welcomes the Committee’s Inquiry into the Anti-Terrorism Bill (No.2) 2005 (the Bill) and hopes that this submission will assist the Committee in its consideration of the Bill. The Committee should note that the scope of the submission is limited to matters relevant to privacy issues.

6. The Office notes that a number of new provisions contained in the Bill will expand the power of law enforcement and intelligence agencies to collect personal information about individuals, including through routine surveillance and electronic tracking. Any such expansion is likely to diminish, to varying degrees, the privacy of individuals by reducing their ability to control personal information about themselves.

7. The Office has not commented on every proposed amendment in the Bill. However, as a general point, in relation to the creation of new offences, or the amendment of existing offences, for example; by changes to definitions of offences, law enforcement or intelligence agencies will be permitted to perform acts and practices that may otherwise, in the absence of that change, constitute an interference with an individual’s privacy. Such changes as proposed in the Bill should be proportional to the need for greater security.

8. As one means of making judgements between competing priorities, such as privacy and security, the Office has developed and refined a framework by which new legislative measures could be assessed (see Attachment 1).

9. This framework is underpinned by the recognition that measures that diminish privacy should only be undertaken where they are necessary and proportional to address the immediate need, and are subject to appropriate and ongoing accountability measures and review. The Office commends the framework to the Committee when it is considering the Bill.

10. The Office also notes that some aspects of the Bill, specifically Schedules 8 and 9, would benefit from a formal Privacy Impact Assessment (PIA). Such an assessment process has particular value where an initiative involves the following:

• the handling of personal information in large quantities and its aggregation into large databases
• the personal information involved is sensitive information, such as financial information and
• the initiative is significant, for example; in its size, complexity or scope.

11. It is likely that a PIA would clarify the need and inform the development of these schedules of the Bill, and assist any subsequent implementation of them.

Application of the Privacy Act to the Bill

12. The Privacy Act sets out 11 Information Privacy Principles (IPPs) that govern the way Australian Government agencies (and their outsourced providers) collect, use, disclose and handle personal information. The principles also give individuals the right to gain access to information held about them and they oblige agencies to correct information if it is inaccurate. In a similar way, many private sector organisations are governed by the National Privacy Principles (NPPs) as set out in Schedule 3 of the Privacy Act.

13. There are exceptions under both the IPPs and the NPPs that allow agencies or organisations to use or disclose personal information when it is ‘required or authorised by or under law’. These exceptions may lessen the protection of an individual’s personal information that would have otherwise been provided by the Privacy Act.

14. While it is accepted that there is a need for governments to combat threats to national security such as terrorism, they should also be concerned to ensure that individuals’ personal information, most particularly in the case of persons about whom there is no cause for suspicion, is only collected, used and disclosed, when this is clearly necessary.

Provision for review of the amendments introduced by the Bill

15. Clause 4 of the Bill states the Council of Australian Governments (COAG) agreed on 27 September 2005 that Schedules 1, 3, 4 and 5 be reviewed after 5 years, together with certain unspecified state law.

16. The Office supports the intent of this clause. However, it is the Office’s view that given the amendments made by this Bill in relation to privacy issues, it is desirable that a transparent review of these amendments be conducted at a specified time. The current drafting of clause 4 does not appear to impose a clear statutory obligation on any party to initiate and conduct such a review.

17. Further, the office suggests there are several Schedules that may impact on the way personal information is collected and handled and would benefit from review for oversight reasons and/or to maintain consistency with other legislative developments. These are:

• Schedule 6, which affords increased powers to the Australian Federal Police to demand documents without judicial oversight, including in contexts unrelated to terrorism
• Schedule 8, on optical surveillance in airports which may be affected by the development of proposed national guidelines on the use of CCTV and
• Schedule 9, on financial transaction reporting, which may be affected by ongoing reform in Anti-Money Laundering (AML) regulation.

18. In considering a suitable mechanism for review the Office suggests as a model section 4 of the Security Legislation Amendment (Terrorism) Act 2002.

Schedule 4—Control orders and preventative detention orders

19. Schedule 4 introduces new powers to issue control and preventative detention orders for the purpose of protecting the public from terrorist acts. The exercise of these powers is likely to result in law enforcement and intelligence agencies collecting and using greater quantities of personal information. Those powers need to be well considered to ensure an appropriate balance is achieved between community safety and individual privacy.

Handling of personal information collected under control and preventative detention orders and other activities

20. Changes in information handling include new section 104.5(3)(j), which may require an individual to be photographed as part of a control order, and new section 104.5(3)(k), which makes it a requirement that impressions of fingerprints are taken. This information is to be collected as part of a control order and can be invoked without charge.

21. The Office notes that new section 104.22(1) requires that the fingerprints and photographs collected under the above sections, must only be used for the purpose of “ensuring compliance with the relevant control order”. This requirement seems consistent with the privacy principle that information only be used or disclosed for the purpose for which it was initially collected.

22. New section 104.22 outlines a retention period for fingerprints and photographs taken under new section 104.5(3). This section requires that once a 12 month period has elapsed following the cessation of a control order and provided no proceedings have been brought or they have been discontinued, the information is to be destroyed as soon as practicable. While the Office supports the destruction of records when they are no longer required and the inclusion of a set period is useful, it is not made clear in the Bill or the Explanatory Memorandum why the retention period has been prescribed as 12 months.

23. Similarly, it is not clear why the retention period (under new section 105.44) for information collected under new section 105.43 (pursuant to a preventative detention order) has been prescribed as 12 months

24. The Office would suggest that the Committee may wish to consider whether different retention periods may be more appropriate, for example; a lesser period of 6 months may be appropriate in some circumstances.

25. The Office notes that new section 104.5(3)(d) specifies that a term of an interim control order may be to wear a tracking device, section 105.23 gives a power to conduct a frisk search and section 105.24 an ordinary search. Whilst these types of activity may not ordinarily be regulated by the Privacy Act, records created from such activity may be.

26. Given that personal information may therefore be collected through these new methods it is important to balance the privacy protections with the potential collection and use of the information. However, unlike elsewhere in the Bill, these sections do not address the question of how long personal information, once collected in these ways, may be retained. An approach, which is consistent with best privacy practice, would be to destroy the information once it is no longer necessary for the purpose for which it was collected.

27. The Office acknowledges that some of the information collected through these activities will not always fall within the definition of personal information provided in section 6 of the Privacy Act, and therefore may not be regulated by the IPPs or NPPs. The handling of such information, and the activities themselves may, however, fall within the broader notion of privacy (which includes bodily privacy) covered by Article 17 of the International Covenant on Civil and Political Rights.[3]

Reporting of control and preventative detention orders

28. New sections 104.29 and 105.47 require the Attorney-General to report to Parliament annually on the operation of control orders and preventative detention orders respectively for the previous year. The Office supports the requirements for the Attorney-General to report to the Parliament regularly.

Schedule 6—­Powers to obtain information and documents

General Comments

29. The Office notes that Schedule 6 of the Bill appears to represent an expansion in the information collection powers of the Australian Federal Police (AFP). These include new sections 3ZQM, 3ZQN and 3ZQO which are discussed in greater detail below.

30. The result of this Bill being enacted would be to permit greater collection of personal information by the AFP including from private sector organisations, without warrant. While such collection and disclosure would comply with the AFP’s obligations under the Privacy Act, as it would be authorised by law, careful consideration should be given to the enactment of such powers as they may detract from the intent and spirit of the Privacy Act.

31. An agency’s collection of personal information must comply with the Information Privacy Principles (IPPs), which are underpinned by the expectation that the handling of personal information will be open and transparent and in a way that the individual concerned would reasonably expect. The IPPs expressly require that, amongst other things, the collection of personal information should be necessary for a lawful purpose or for a purpose directly related to that purpose.[4] In addition, the collector must take reasonable steps to ensure collection does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.[5] Where personal information is collected directly from the individual, the individual should be provided notice of the collection, including what the information may be used for.[6]

32. In expanding the powers of law enforcement agencies, this Schedule invests a significant degree of unilateral authority in law enforcement officers going about their required duties with no corresponding guidance as to how this authority should be exercised. Specifically, the test required to request documents is: the authorised AFP officer “believes on reasonable grounds” and the officer must determine what is “relevant to”. There is no obvious guidance on how these subjective terms should be interpreted, posing the risk that they may be interpreted broadly. The Office suggests that such powers should be accompanied by guidance as to how they should be executed.

Power to request information or documents about terrorist acts from operators of aircraft or ships (new section 3ZQM)

33. Under this provision, there is the potential for a large quantity of information to be collected from aircraft operators and operators of cruise liners. As a result, the personal information of large numbers of individuals who are not the subject of investigations and about whom there is no cause for suspicion, could be collected. Such an outcome sits uncomfortably with the notion of necessary collection. It would be preferable for there to be greater explanation as to how such routine surveillance would be useful, including whether it is a necessary and proportional response to the need for greater security.

34. As with the provisions relating to bodily searches and tracking devices, this section does not address the question of how long personal information, once collected, may be retained. As previously noted, an approach which is consistent with best privacy practice would be to destroy the information once it is no longer necessary for the purpose for which it was collected, particularly in relation to the information of people who may not be the subject of interest to law enforcement authorities.

Power to obtain documents relating to serious terrorism offences (new section 3ZQN)

35. New section 3ZQN authorises the collection of documents relevant to serious terrorism offences which “relate to” the matters outlined in new section 3ZQP. While the types of personal information that may be collected under this section are specified, the Office notes that they are prescribed broadly. In addition, it is noted that information may be required where that information ‘relates to’ the prescribed matters.

36. This would seem to create a power for the AFP to demand personal information without judicial warrant that is considerably wider than the power which currently exists. This section appears to substitute the use of notices in place of obtaining warrants. It is the Office’s understanding that only the latter are subject to judicial oversight. The need for this additional power without judicial oversight is not readily apparent.

37. In the absence of further information the Office suggests that a warrant issued by a judicial officer would provide a more appropriate level of oversight.

38. It should be noted that any collection made under this new section, while permitted, would still result in the AFP having obligations under the IPPs as to how personal information may be handled subsequent to collection.

Power to obtain documents relating to serious offences (new section 3ZQO)

39. New section 3ZQO provides for a notice to be issued to a person to produce documents in relation to a ‘serious offence’. A ‘serious offence’ is defined in the Crimes Act and does not include terrorism offences.

40. The accompanying Explanatory Memorandum states that this Bill “…improves the existing strong federal regime of offences and powers targeting terrorist acts and terrorist organisations. The Bill is the result of a comprehensive review of existing federal legislation that criminalises terrorist activity and confers powers on law enforcement and intelligence agencies to effectively prevent and investigate terrorism”.[7]

41. Discussion around the Bill has, in turn, focused on the extent to which the new powers are necessary and proportional as measures to combat the risks posed by terrorism. The introduction of measures that expand the powers of law enforcement agencies to investigate other offences seems to fall outside of the stated purpose of the Bill. Such measures are likely to have policy objectives distinct from those that underpin the main provisions of the Bill relating to terrorist activity and should be able to be separately scrutinised and pursued through stand-alone legislation.

42. The Office notes that this new section covering serious (non-terrorism) offences includes an element of external oversight, in that a notice issued under the section must be subject to an application made to a Federal Magistrate. Such oversight is not provided in case of serious terrorism offences under new section 3ZQN (as discussed at paragraphs 35-38). .

43. The Office recommends that the provisions of new section 3ZQO be pursued through separate legislation after appropriate scrutiny and consultation.

Schedule 8—Optical surveillance

44. The Explanatory Memorandum to the Bill explains that Schedule 8 will insert a new Division into the Aviation Transport Security Act (2000) (ATS Act) by enabling the Minister to determine a code regulating and authorising the use of optical surveillance devices at airports. This code would operate to the exclusion of state or territory law.

45. The use of closed circuit television is expected to assist in the provision of aviation security.[8] However, it is noted that new section 74J explains that the purpose of the proposed division includes preventing and detecting breaches of the ATS Act or any other law of the Commonwealth. Such a provision seems to envisage optical surveillance being used for purposes that may be unrelated to either airport security or anti-terrorism.

46. The Office acknowledges that the use of surveillance devices may assist with airport security and anti-terrorism. This potential was noted, for example, in the report of the recent Airport Security and Policing Review.[9]

47. However, it should also be recognised that such technology allows for the routine and indiscriminate surveillance of large numbers of people, for example, in public spaces such as airport arrival halls. For many of these people, there may be no cause for suspicion and hence no reason to collect information about them.

48. One of the primary principles of privacy is that personal information should only be collected where it is necessary. Accordingly, it is important that proposals envisaging routine optical surveillance are pursued carefully so as to ensure an appropriate balance is struck between the public interest in a safe and secure society and the right of individuals to privacy.

49. Achieving such a balance requires that optical surveillance measures should only be pursued where necessary to achieve a clear objective and where such measures constitute a proportional response to a defined threat or problem. Such measures should also be subject to appropriate oversight to ensure that personal information is not misused.

Optical surveillance code for aviation industry participants

50. The Office notes that a code made under this Schedule would apply to ‘aviation industry participants’, including private sector organisations such as airlines and airport operators, as well as other organisations prescribed by regulation. In many cases, such organisations will fall under the jurisdiction of the Privacy Act and be bound by the National Privacy Principles in the manner they handle personal information. Similarly, aviation industry participants that are Australian Government agencies will be bound by the Information Privacy Principles. Other entities, particularly some small businesses or state or territory government bodies, would not fall under the jurisdiction of the Privacy Act.

51. Although neither the Bill or the Explanatory Memorandum explain the purpose of the code, the Office notes that new section 74K(2) states that the code “…may regulate and authorise the use or disclosure of a signal, image or other information obtained by the use of the optical surveillance device”. Such a provision seems to provide an opportunity for appropriate regulation to be made to limit the way in which personal information collected by CCTV may be handled. The Office notes that such regulation, particularly if made consistent with the principles of the Privacy Act (including provision for complaint handling and oversight, such as independent audit), could help engender community confidence that personal information collected by optical surveillance to prevent and investigate terrorism will not be misused.

52. Making such proposed codes consistent with the principles of the Privacy Act would also ensure that organisations not currently under the Privacy Act’s jurisdiction, for example, companies with a turnover of less than $3 million, handle information collected pursuant to the code in an appropriate way.

53. The Office suggests that the section provide for the Minister to consult with various parties when making such a code, including with the Privacy Commissioner. Additionally, the section should specify the need for and manner of any future review of the code.

Proposed National Code of Practice for CCTV for the mass passenger transport sector

54. The Office also notes that the Council of Australian Governments (COAG) has agreed to the development of a National Code of Practice for CCTV systems for the mass passenger transport sector, which will contain guidelines on the handling and privacy of personal information.[10] The relationship between this COAG initiative and Schedule 8 of the Bill is unclear.

55. As noted in paragraph 10, the development of an optical surveillance code for the purposes of this Schedule could be usefully informed by conducting a Privacy Impact Assessment as part of its development.

Schedule 9—Financial transaction reporting

56. The Explanatory Memorandum to the Bill notes that Schedule 9 contains amendments to the Financial Transaction Reports Act 1988 (FTR Act) to “…better implement the Financial Action Task Force on Money Laundering’s (FATF’s) Special Recommendations VI (SR VI), VII (SR VII) and IX (SR IX)”. These amendments are summarised below in terms of the Special Recommendations.

Registration of informal networks

57. To implement SR VI, Items 5 and 11 of the Schedule will require the registration of ‘informal networks’ for the transmission of money or value. The term ‘informal networks’ is broadly canvassed in the Explanatory Memorandum. It is understood, however, that certain cash dealers will be required to provide to AUSTRAC ‘prescribed particulars’ regarding identifying information. The scope of these amendments is unclear and it is difficult to determine how much more personal data will be collected and stored by AUSTRAC.

International wire transfers to include customer data

58. To implement SR VII, Item 10 of the Schedule will require cash dealers to include identifying particulars regarding their customers in international funds transfer instructions. These instructions, whether into or out of Australia, are currently reported to AUSTRAC under the FTR Act. Again, there is no indication of the scope of these amendments and no understanding of the volume of personal information collected by AUSTRAC.

Interdiction of cash couriers

59. To implement SR IX, a number of items including Item 9, will require a transborder courier, of both currency and ‘bearer negotiable instruments’, to prepare, on request, a report to AUSTRAC of details about the courier and/or the person on whose behalf the instruments or currency is being carried. These obligations are supported by powers under Item 18 to question and search couriers in certain circumstances.

60. As a general observation, some amendments, intended to extend the scope of the reporting obligations and the provision of personal information to AUSTRAC, are supported by criminal sanctions, including terms of imprisonment (see, for example, Items 12, 13, 14 and 15).

Existing Anti-Money Laundering (AML) reform

61. Since 2003, the Office has been consulted by the Attorney-General’s Department (AGD) on privacy issues relevant to the proposed Anti-Money Laundering Bill (the proposed AML Bill). It is understood that the provisions of proposed AML Bill were intended to implement all FATF Recommendations, including the Special Recommendations, to meet the challenges of money laundering and terrorist financing.

62. The Office understands that the AML Bill was being developed through a carefully planned process of public consultation, including the conduct of ‘roundtable’ discussions between the Minister and industry leaders. An Exposure Draft is to be released before the end of the year.[11] Widespread consultation on this legislation with the community has been, and continues to be, supported by the Office.

63. In advice to the AGD, the Office has previously advocated the strong desirability of conducting a Privacy Impact Assessment (PIA). As noted in paragraph10 of this submission proposed Schedule 9 has the attributes that support the adoption of a PIA process.

National privacy protections for financial data and the importance of community confidence

64. As the amendments in Schedule 9 are understood, there will be new reporting obligations placed on a comparatively large number of financial entities. In terms of the Privacy Act, some of these entities may be exempt from the legislative obligations usually attaching to the information handling acts and practices of private sector organisations.[12] It is also unclear whether the current amendments are intended to cover the agencies of the states and territories, only some of which are subject to privacy legislation.

65. The implications of this uneven coverage of the private sector and, possibly, many public sector agencies, is that large amounts of often sensitive financial and other personal data handled by these entities will not be protected by any privacy legislation - national, state or territory. This situation is compounded by the current obligations in Part VIA of the FTR Act for financial institutions to retain data, such as customer‑generated financial transaction documents, for a minimum of seven years.

66. Community research conducted by the Office has demonstrated a notable reluctance in the community to deal with business, when there are concerns about the privacy of their personal information being protected.[13] The existence of, and compliance with, effective privacy regulation enable business to enlist community confidence. The effective implementation of legislative measures to counter money-laundering and the financing of terrorist activities will depend in large part on the willing cooperation of the business community in providing critical financial data to law enforcement agencies. This in turn will be underpinned by the understanding and confidence on the part of the community as to what happens to their financial data.

67. The Office is concerned about the consequences of bringing forward the amendments to the FTR Act before the planned consultation process for the proposed AML Bill. Such an outcome may produce an unintended loss of community and business confidence in the anti-money laundering and counter-terrorist financing framework.

68. Rather than the amendments to the FTR Act being made at this time, the Office recommends that Schedule 9 remain the subject of the careful consultation and assessment process being undertaken by the Minister for Justice and Customs and his Department as part of the AML reform agenda.

Schedule 10—ASIO powers etc

69. While the acts and practices of ASIO do not fall within the jurisdiction of the Privacy Act, the Office would still recommend that any expansion in its powers in relation to the collection, use and handling of personal information should be accompanied by strong guidance in relation to best practice in the handing and disposal of that information.

70. The new section 23 introduced by Item 2 of Schedule 10 grants ASIO additional powers to collect personal information from the operators of ships and aircraft, including regarding crew and passengers. The Schedule introduces an offence for not producing such documents. In many cases, the exercise of this power could result in the collection of personal information about individuals who are not the subject of inquiry and about whom there is no cause for suspicion.

71. The Office notes that there is no guidance on the grounds on which the Director-General, or senior officer authorised in writing, may authorise an ASIO officer to exercise this power (see, new section 23(6)).

72. The Office suggests that guidance from the Inspector-General of Intelligence and Security in relation to the collection, use and disposals of records by ASIO, particularly those relating to individuals not the subject of interest to ASIO would be beneficial.

Summary

73. The Office of the Privacy Commissioner (the Office) is of the view that there should be an appropriate balance between the need for security and the right to privacy.

74. The right to privacy is not an absolute. It may be necessary to balance this right with other important social interests, such as the safety and security of the community.

75. This Office notes that a number of new provisions contained in the Bill will expand the power of law enforcement and intelligence agencies to collect personal information about individuals, including through routine surveillance and electronic tracking. Any such expansion is likely to diminish, to varying degrees, the privacy of individuals by eroding their ability to control personal information about themselves. Such expansions lessen the protection of an individual’s personal information that would have otherwise been provided by the Privacy Act.

76. The Office notes that a formal Privacy Impact Assessment could assist in clarifying the need for, and subsequently implementation of several aspects of the Bill where large amounts of personal information will be collected, notably Schedules 8 and 9. (see paragraphs 10 and 11, paragraph 56 on Schedule 8 and paragraph 64 on Schedule 9).

77. The Office notes the importance of reviewing the operation of the changes and recommends that explicit statutory commitment be given to their review, together with detailed process for the review (see paragraphs 15-18).

78. The Office has not commented specifically on changes to definitions in relation to criminal offences, including those introduced in Schedules 1, 3 and 7. In general though, the creation of new offences, or the amendment of existing offences, will often permit law enforcement or intelligence agencies to perform acts and practices that may otherwise, in the absence of that law, constitute an interference with an individual’s privacy. Accordingly, any such changes to law should include as a consideration whether privacy rights will be diminished, the impact on individuals should this occur and whether such an outcome is, on balance, proportionate to the need for greater security.

79. Schedule 4 outlines the retention periods for fingerprints and photographs taken pursuant to new sections 104.5(3) and 105.43. It is not made clear in the Bill or the Explanatory Memorandum why this information needs to be retained for 12 months after a control or preventative detention order ceases and where there is no ongoing action being taken against the individual. The Office would suggest that the Committee may wish to consider whether different retention periods may be more appropriate, for example; a lesser period of 6 months may be appropriate in some circumstances.(see paragraphs 20-24).

80. The Office also notes controls should be included in the Bill in relation to the collection of personal information from the use of tracking devices and searches outlined in Schedule 4. (see paragraphs 25-27)

81. The Office recommends that the provisions introduced by Schedule 6 (new section 3ZQO) concerning offences that are not terrorism offences be pursued through separate legislation after appropriate scrutiny and consultation. (see paragraphs 39-43).

82. As regards the provisions introduced by Schedule 8, the Office notes that the use or optical surveillance, such as closed circuit television (CCTV), poses the risk of unnecessary routine and indiscriminate surveillance of large numbers of people, about who there may be no cause for suspicion. (see paragraphs 44-49)

83. The Office notes that the provision in Schedule 8 for the Minister to issue a statutory code of practice as to how information collected through optical surveillance may be handled. The Office notes that such regulation, particularly if made consistent with the principles of the Privacy Act (including provision for complaint handling and oversight, such as independent audit), could help engender community confidence that personal information collected by optical surveillance, to prevent and investigate terrorism, will not be misused. (see paragraphs 50-53)

84. The Office suggests that Schedule 8 provide for the Minister to consult with various parties when making a code for optical surveillance, including with the Privacy Commissioner and that a Privacy Impact Assessment could usefully inform the code’s development. (see paragraph 53 and 55).

85. In relation to the amendments to the Financial Transactions Reports Act (1988) (FTR Act) contained in Schedule 9, the Office notes the valuable widespread consultation that has been conducted by the Minister for Justice and Customs and his Department on reform of Anti-Money Laundering and the Suppression of Terrorism Financing regulation since 2003. (see paragraphs 56-63)

86. Rather than the amendments to the FTR Act being made at this time, the Office recommends that Schedule 9 remain the subject of the careful consultation and assessment process being undertaken as part of the AML reform agenda. (see paragraphs 67-68)

87. The Office suggests that guidance from the Inspector-General of Intelligence and Security in relation to the collection, use and disposals of records by ASIO, particularly those relating to individuals not the subject of interest to ASIO would be beneficial. (see paragraphs 69-72)

Attachment 1

Office of the Privacy Commissioner

Framework for assessing and implementing new law enforcement and national security powers

The Office of the Federal Privacy Commissioner has developed a proposed framework for assessing and implementing new law enforcement and national security powers. The framework sets out a life cycle approach to such proposals from development to implementation and review. The aim of the framework is to bring balance and perspective to the assessment of proposals for law enforcement or national security measures with significant effects on privacy.

First, careful analysis is needed in the development phase to ensure that the proposed measure is necessary, effective, proportional, the least privacy invasive option and consistent with community expectations. This analysis should involve consideration of the size, scope and likely longevity of the problem, as well as the range of possible solutions, including less privacy invasive alternatives. The impact on privacy of the proposed solution should be analysed and critical consideration given to whether the measure is proportional to the risk.

Second, the authority by which the measure is implemented should be appropriate to its privacy implications. Where there is likely to be a significant impact on privacy, the power should be conferred expressly by statute subject to objective criteria. Generally, the authority to exercise intrusive powers should be dependent on special judicial authorisation. Intrusive activities should be authorised by an appropriately senior officer.

Third, implementation of the measure should be transparent and ensure accountability. Accountability processes should include independent complaint handling, monitoring, independent audit, and reporting and oversight powers commensurate with the intrusiveness of the measures.

Finally, there should be periodic appraisal of the measure to assess costs and benefits. Measures that are no longer necessary should be removed and unintended or undesirable consequences rectified. Mechanisms to ensure such periodic review should be built into the development of the measure. This could involve a sunset clause or parliamentary review after a fixed period.